Privacy Breaches in Canada – Losses Mounting

Canada is no longer a safe haven when it comes to avoiding damages arising out of privacy breaches. Class actions are here. Regulatory and criminal investigations are here and so too are individual actions resulting in damage awards. The losses are mounting and regulators are crying for legislation to impose substantial fines. The times, they are a changing. If you are interested in examples of Canadian breaches where losses have occurred, read on.

It is no secret that there is a startling rise in privacy breaches in Canada these days, with a resulting increase in regulatory investigations and legal actions arising out of those breaches. Where a few years ago it was easy to find examples of breaches but difficult to find examples of losses arising from them, the environment in the US, and increasingly in Canada, has changed. Class action litigation and individual actions relating to privacy breaches in Canada are no longer just hypothetical; they are a new reality. The actions tend to involve disclosure of personal information through insecure disposal of records, theft and loss of unencrypted data on mobile devices, and unauthorized access to records. Set out below is a discussion of some of the recent cases resulting in actual losses.

Privacy Breach Class Actions

The year 2013 began with a shocking disclosure as Human Resources and Skills Development Canada (“HRSDC”) admitted to the loss of a portable hard drive containing unencrypted personal and financial information, including SIN numbers and birth dates, of more than half a million people who took out student loans and 250 employees. Reports allege a two-month delay in notification to the public of the breach. Three class actions have been launched and both the RCMP and the Privacy Commissioner are investigating. Affected persons are being notified by letter and a hot-line set up to handle inquiries has reportedly received over 40,000 calls. This announcement follows the recent disclosure by HRSDC of another breach involving the loss of a USB key from an office in Quebec, containing personal information of more than 5,000 Canadians.[i]

The year 2012 saw a number of high profile breaches in the health industry resulting in losses, including costs to notify affected individuals, defence costs to respond to class actions and regulatory investigations, and several involving the business costs of terminating employees and responding to resulting lawsuits. In May, the Peterborough Regional Health Centre fired 7 employees who inappropriately accessed patient records.[ii] In BC, the provincial government disclosed that in three instances of data breaches in October 2010 and June 2012 more than 5 million persons’ personal-health data had been accessed without permission. This led to the costs of responding to an investigation by the Privacy Commissioner and notification of more than 38,000 individuals by letter. Furthermore, the government is dealing with costs associated with the termination of 7 employees, at least two of whom have launched separate lawsuits in response to their terminations.[iii]

In one of the most high profile privacy breaches in 2011, Sony Corp. is facing at least 25 lawsuits, including class actions in Canada[iv] and the U.S., over theft of personal data of more than 100 million video game users. Sony was criticized for not telling customers quickly enough about the breach. In the wake of this massive breach Canada’s privacy commissioner publicly called for the power to impose “attention-getting fines” when major corporations fail to protect personal information.[v]

In 2011 the Ontario Superior Court granted certification of a class action against Durham Region Health[vi] when a nurse employed by the Durham Region Health Department allegedly lost a USB thumb drive containing personal and confidential health information relating to flu vaccinations to patients. The action followed an investigation and Order by the Ontario Information and Privacy Commissioner citing numerous breaches of the privacy health legislation. In the action, the plaintiffs sought $40 million in damages, citing risk of identity theft as a factor. The certification Order, which was largely made with the consent of the defendants, required the defendants to pay for the costs of notification of class members (approximately 83,500 patients) and for the costs of the operation of the program whereby individuals can opt-out of the action if they choose. The action was settled shortly after certification, with the Region agreeing to pay up to $500,000 on account of the plaintiffs’ costs, and individual payments to those affected individuals who can prove financial loss.[vii]

Honda Canada, Inc. is facing a class action launched in 2011[viii] on behalf of 283,000 customers after their personal information, including names, addresses, VINs, and financial account numbers, was accessed by hackers. The action seeks $200 million and faults delayed notification of the breach to affected individuals by Honda.

A long-standing class action by staff at a federal prison in Kingston against Corrections Canada[ix] was settled in 2010. The staff sued on the basis of a privacy breach when a list including the names, home addresses, phone numbers, and names of spouses of 366 staff fell into the hands of convicts at the prison in 2003. The settlement provides for payment to each staff on the list of at least $1,000, and higher payments up to $10,000 to staff and their spouses who can establish they suffered serious psychological harm. Corrections Canada also agreed to pay the plaintiff’s legal bills, totaling more than $140,000, and was to review privacy protection at 11 other federal facilities in Ontario, which review was to be submitted to the Privacy Commissioner of Canada.

In March 2010 CIBC agreed to compensate customers whose personal information was inadvertently sent by fax to businesses in the U.S. and Quebec.[x] The settlement of the class action included individual offers to be made to class members, with the court recognizing that damages including general damages and those arising from identity theft would be recoverable, together with a $100,000 payment to a charity.

DaimlerChrysler Financial Services Canada Inc. was the subject of class actions after the loss of a hard drive containing personal financial information of customers by a courier.[xi] The plaintiffs alleged anxiety and fear due to loss of information and potential for fraud or identity theft, together with the costs and inconvenience of the need for credit monitoring.

In February 2008 a global settlement was reached in the Canadian part of class proceedings brought in the U.S., Puerto Rico and Canada[xii] following fraudulent computer system intrusions of customers of TJX (often referred to as the “Winners breach”). The settlement of the Canadian component of the action resulted in eligible class members receiving credit monitoring services, vouchers, cash benefits (cheques), identity theft insurance, reimbursements and sales events.

Privacy Breach Individual Actions

Class actions have not been the only forum for litigation of privacy breaches in Canada. Examples of individual suits resulting in damage awards have shown Canadian courts are willing to put a value on the damage caused by invasion of an individual’s privacy, even where there are no actual losses. Although the cases are specific to their individual facts and to the law applicable in the jurisdiction in which the action was brought, they may be useful in predicting the likelihood of an award, and the quantum of such an award, in future breaches. These cases include:

Recognition by the Ontario Court of Appeal of a new tort for invasion of privacy in the 2012 landmark decision in Jones v Tsige[xiii] where the Court awarded $10,000 in damages to a man whose former wife, a bank employee, inappropriately accessed personal banking information about her ex-husband’s new partner 174 times. The Court imposed a cap of $20,000 where there has been no pecuniary loss, and although the possibility exists for punitive or aggravated damages on top of this amount, they would only arise in exceptional cases. It is important to note that this is a common law cause of action, separate and apart from any remedy under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) or other similar privacy legislation. It remains to be seen whether entities subject to PIPEDA or similar legislation will be subject to duties and remedies under both this new common law action and the relevant statute. Furthermore, this new tort will be available to plaintiffs in class actions alleging privacy breaches.

An award of $100,000 for punitive damages by the Quebec Court of Appeal in a 2010 decision[xiv] against Standard Life. The plaintiff had been receiving disability benefits and as a result of surveillance by Standard Life the investigators accidentally recorded the plaintiff’s brother engaging in very active tasks which led to the termination of the plaintiff’s benefits.

A Federal Court decision in 2011[xv] ordering a Canadian bank to pay damages based on a breach of the federal privacy legislation by one of its employees. Contrary to the bank’s policies, in response to a subpoena, the employee had provided private bank information to a customer’s ex-spouse who was involved in a contested divorce. Despite arguments challenging the cause of the complainant’s alleged “humiliation” being related to the privacy breach, the court found the breach warranted damages in the amount of $4,500, plus interest and costs.

An action in B.C.[xvi] by a business woman against her ex-husband, a doctor who accessed private information about her on an old home computer and published the information online and in emails. The B.C. Supreme Court awarded the plaintiff $20,000 for breach of privacy and defamation.

An action in the Federal Court of Canada in which a businessman was awarded $5,000 plus costs for humiliation arising from the provision of inaccurate credit information by a credit reporting agency.[xvii]

A fine of $750 under B.C.’s privacy law following a 2-week trial against a city councilor for giving CBC an internal privileged and confidential workplace harassment report by the local RCMP detachment.[xviii]

Privacy Business Practices

In another rising development, companies have been subject to lawsuits as a result of their business practices and handling of personal information. These actions tend to allege acquisition, use or disclosure of personal information without consent; breach of a company’s own privacy policy; or diversion of personal data for profit. For example, Facebook Inc.[xix] has been sued in Quebec and Manitoba for allegedly mishandling users’ private information and breaching privacy, including intentionally using information for commercial purposes. A settlement was reached calling for Facebook’s updated privacy policy to be maintained in the same form for at least 3 years, for payment of plaintiff’s counsel’s fees up to $75,000, and a payment of $1,000 to the class representative.

In another case, a proposed class action was initiated in Quebec against Bell Canada[xx] on behalf of internet subscribers who alleged Bell’s business model deliberately favoured business users, and breached privacy rights by allowing Bell to access and collect the content of subscribers’ messages, without their consent.

In a health sector case, in May 2011 the B.C. Supreme Court issued an Order to proceed in a class action against the Provincial Health Services Authority over the collection and storage of B.C. and Yukon newborns’ blood.[xxi] The issue relates to the use of the stored information for medical research, and for indefinite storage, without permission.

Conclusion

Privacy litigation is still in its early stages in Canada. Many of the cases noted above are still at the preliminary stages, or have settled with little, if any, judicial pronouncement. The emergence in Canada of mandatory notification to individuals, and/or the Privacy Commissioner when a privacy breach has occurred,[xxii] although not yet fully enacted in Canada, will without doubt fuel litigation. The simple fact of being alerted to the potential of harm is enough to persuade some people to sue. Many companies are already aware of the potential first party costs associated with such notification, and the associated costs to mitigate and assess damages, such as crisis monitoring, public relations, IT security and forensics.

In this changing environment companies are taking more care to learn about, and put in place effective solutions to these risks, including specialized Privacy and Network Liability Insurance. These products are not a one size fits all solution. Expert advice in assessing risks and ensuring the proper insurance coverage is in place is essential.
